While using third parties is a regular aspect of doing business, these third-party business relationships do not come without risks. Our Asia-Pacific Fraud Survey shows that fifty-five percent of organizations in Asia-Pacific believe risks are more likely to arise from third parties than from internal staff.

CFOs are becoming more influential and are increasingly looked to by boards for their views on compliance matters. In addition, regulators and other external stakeholders rely on the CFO as a key interface with the company.

Due diligence is a critical component of the compliance framework for companies to determine the trustworthiness of a third party. In making such an evaluation, CFOs need to heed red flags that may appear.

CFOs also need to strategically invest their time and resources in forensic data analytics and frequent compliance audits, as these form the basis of a strong monitoring system for third-party relationships.

Knowing your third party

Recent prosecutions by regulators demonstrate that companies can be liable for the actions of third parties acting on their behalf.

Fines make headlines but they do not tell the whole story. Companies also have to bear hidden penalties such as the investigation cost, reputational damage, loss of business opportunities while undergoing investigations, risk of class action litigation, and the cost of remediation.

The UK Bribery Act and the US Foreign Corrupt Practices Act (FCPA) require companies to apply third-party due diligence procedures.

Weak systems and controls in Asia-Pacific

Types of third parties representing the biggest compliance risk

Q: Which type of third parties represents the biggest compliance risk to your company? Base: All respondents (681)

Although it is expected by regulators, only 65% of respondents say that all of their third parties are required to comply with their company’s anti-bribery/anti-corruption (ABAC) code of conduct, according to our Asia-Pacific Fraud Survey.

Due diligence helps CFOs understand third parties better

Performing third-party due diligence is critical, as it represents a systematic and consistent effort to vet business relationships tiered by levels of inquiry based on a thorough business inventory and risk assessment.

It helps CFOs understand not only the third parties with whom the company will be contracting, but also the broader context in which they will operate.

How to undertake comprehensive due diligence

Create risk profiles by understanding the cultural and business norms, prior incidents of fraud, previous litigation and adverse press, other non-performance contracts within the industry and geography, or the experience of their peers

Have complete transparency in the way that the third party is remunerated, not just in its fees or commissions, but in its expenses

Structure to apply the company’s travel and entertainment expense policy appropriately to third parties

Go deep enough to include the beneficial ownership of the third party and its reputation

Red flags that CFOs need to be aware of

Omission of certain key personnel/shareholders

A lack of information or trading history: This factor alone would not rule out start-ups.

A business address in a non-commercial zone or at service office suites

Low capitalized company: Suppliers with a small capital base could be acting merely as middlemen for undisclosed suppliers, which pose a further risk.

Tampering or irregularities with the tendering process: This includes the acceptance of late bids, bids being accepted despite failings in technical specifications or scoring, and bids at or very close to set budgets.

Assist internal audit and compliance teams to focus on potentially anomalous transactions across business functions and sharpen the focus of their reviews at times when costs are being heavily scrutinized

Allow companies to continuously evolve and adapt internal policies and procedures to mitigate risk from the outset, leading to a proactive response to potential issues rather than reactive investigations after they happen

Help companies quickly and efficiently identify any red flags that suggest they should be on guard for potential ABAC policy breaches

Quantify the actual impact of fraudulent behavior and identify the amount of revenue generated from kickbacks for potential FCPA or UK Bribery Act violations, minimizing the assessment of fines by regulators

Red flags commonly detected by FDA

Multiple suppliers with same address: Shared or similar addresses, contact details or bank accounts are potential red flags, as are overly close relationships within a small group of local vendors.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.